Permit whitelisting VMs for copy/paste & copying logs via tags #533

Merged
merged 7 commits into from
May 5, 2020
Changes from 6 commits
1 change: 1 addition & 0 deletions MANIFEST.in
Expand Up @@ -3,6 +3,7 @@ include dom0/*.top
include dom0/*.j2
include dom0/*.yml
include dom0/*.conf
include dom0/remove-tags
include dom0/securedrop-admin
include dom0/securedrop-login
include dom0/securedrop-launcher.desktop
32 changes: 32 additions & 0 deletions dom0/remove-tags
@@ -0,0 +1,32 @@
#!/usr/bin/env python3
"""
Removes tags used for exempting VMs from default SecureDrop Workstation
RPC policies from all VMs (including non-SecureDrop ones).
"""
import qubesadmin

q = qubesadmin.Qubes()

TAGS_TO_REMOVE = ["sd-send-app-clipboard", "sd-receive-app-clipboard", "sd-receive-logs"]


def main():
tags_removed = False
for vm in q.domains:
for tag in TAGS_TO_REMOVE:
if tag in q.domains[vm].tags:
print("Removing tag '{}' from VM '{}'.".format(tag, vm))
try:
q.domains[vm].tags.remove(tag)
except Exception as error:
print("Error removing tag: '{}'".format(error))
print("Aborting.")
exit(1)
tags_removed = True

if tags_removed is False:
print("Tags {} not set on any VMs, nothing removed.".format(TAGS_TO_REMOVE))


if __name__ == "__main__":
main()
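Review bot: In the `except` branch of `main()`, the script aborts on the first failed `tags.remove()` call, so every VM later in `q.domains` keeps its `sd-send-app-clipboard`, `sd-receive-app-clipboard` or `sd-receive-logs` tag even though an uninstall was requested. Consider recording the failure, continuing through the remaining VMs, and exiting non-zero once at the end so the Salt state still reports the error. Smaller points in the same block: `exit(1)` is the interactive helper provided by `site`, so `import sys` with `sys.exit(1)` is safer in a script; the error text should go to stderr; and `except Exception` could be narrowed to the exception that tag removal is expected to raise.
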
7 changes: 7 additions & 0 deletions dom0/sd-clean-all.sls
Expand Up @@ -46,13 +46,20 @@ remove-dom0-sdw-config-files:
- /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
- /home/{{ gui_user }}/.securedrop_launcher


# Remove any custom RPC policy tags added to non-SecureDrop VMs by the user
remove-rpc-policy-tags:
cmd.script:
- name: salt://remove-tags

# Removes files that are provisioned by the dom0 RPM, only for the development
# environment, since dnf takes care of those provisioned in the RPM
{% if d.environment == "dev" %}
remove-dom0-sdw-config-files-dev:
Contributor

We may want to require the remove-rpc-policy-tags here to avoid potential race conditions or precedence issues when applying this state on uninstall (though I did not observe any errors in local testing, this might happen if we add tasks in the future)

Member Author

Good point, done in a04589a (I added the XFCE script because the same logic seems to apply to it); haven't re-tested yet. Can test in dev tomorrow if nobody beats me to it.

Member Author

Re-tested in dev env w/ require logic, relevant output in https://gist.github.com/eloquence/9f9f8586034ccc4a57fe7bda900108cb, can confirm that files continue to be removed as expected.

file.absent:
- names:
- /opt/securedrop
- /srv/salt/remove-tags
- /srv/salt/securedrop-update
- /srv/salt/update-xfce-settings
{% endif %}
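Review bot: The comment above `remove-rpc-policy-tags` says the tags are removed from non-SecureDrop VMs, while the docstring in `dom0/remove-tags` says they are removed from all VMs, including non-SecureDrop ones. Align the comment with the script's actual scope, for example `# Remove custom RPC policy tags from all VMs, including non-SecureDrop ones`.
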
4 changes: 4 additions & 0 deletions dom0/sd-dom0-qvm-rpc.sls
Expand Up @@ -17,6 +17,8 @@ dom0-rpc-qubes.ClipboardPaste:
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
@tag:sd-send-app-clipboard sd-app ask
sd-app @tag:sd-receive-app-clipboard ask
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
dom0-rpc-qubes.FeaturesRequest:
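Review bot: The two new `ask` lines in the `qubes.ClipboardPaste` block only take effect because they sit above the `@anyvm @tag:sd-workstation deny` and `@tag:sd-workstation @anyvm deny` lines, and nothing in the block says so. Qubes RPC policy is evaluated first match wins, so a later edit that appends rules or reorders the block would silently disable the exemption or place a broader rule ahead of the denies. Add a comment inside the `content` block stating that the tag-based exemptions must stay ahead of the deny rules and that they are opt-in per VM.
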
Expand All @@ -35,6 +37,8 @@ dom0-rpc-qubes.Filecopy:
- marker_start: "### BEGIN securedrop-workstation ###"
- marker_end: "### END securedrop-workstation ###"
- content: |
sd-log @default ask
sd-log @tag:sd-receive-logs ask
sd-proxy @tag:sd-client allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
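Review bot: `sd-log @default ask` in the `qubes.Filecopy` block has no comment explaining why a rule for the `@default` target is needed alongside `sd-log @tag:sd-receive-logs ask`, and a reader cannot tell from the policy alone which destinations the resulting prompt is meant to offer. Since this is the path by which log files are copied out of `sd-log`, document the intent next to the rule and state that only VMs the user has tagged `sd-receive-logs` are expected destinations.
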
2 changes: 2 additions & 0 deletions rpm-build/SPECS/securedrop-workstation-dom0-config.spec
Expand Up @@ -59,6 +59,7 @@ install -m 644 dom0/*.top %{buildroot}/srv/salt/
install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
install -m 644 dom0/*.yml %{buildroot}/srv/salt/
install -m 644 dom0/*.conf %{buildroot}/srv/salt/
install -m 655 dom0/remove-tags %{buildroot}/srv/salt/
install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/
install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/
install -m 655 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
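Review bot: `install -m 655 dom0/remove-tags` sets mode rw-r-xr-x, which gives group and others execute permission but not the owner. If the script should be executable, `-m 755` is the conventional mode; if it is only ever fetched through `salt://remove-tags` by `cmd.script`, `-m 644` would match the neighbouring Salt files. The same `655` appears on the existing `securedrop-handle-upgrade` line, so both may be worth correcting together.
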
Expand Down Expand Up @@ -92,6 +93,7 @@ install -m 644 launcher/sdw_util/*.py %{buildroot}/srv/salt/launcher/sdw_util/
/opt/securedrop/launcher/**/*.py
/srv/salt/sd*
/srv/salt/dom0-xfce-desktop-file.j2
/srv/salt/remove-tags
/srv/salt/securedrop-*
/srv/salt/update-xfce-settings
/srv/salt/fpf*
3 changes: 2 additions & 1 deletion scripts/securedrop-admin.py
Expand Up @@ -132,7 +132,8 @@ def main():
elif args.uninstall:
print(
"Uninstalling will remove all packages and destroy all VMs associated\n"
"with SecureDrop Workstation."
"with SecureDrop Workstation. It will also remove all SecureDrop tags\n"
"from other VMs on the system."
)
response = input("Are you sure you want to uninstall (y/N)? ")
if response.lower() != 'y':
4 changes: 4 additions & 0 deletions tests/vars/qubes-rpc.yml
@@ -1,6 +1,8 @@
- policy: qubes.ClipboardPaste
starts_with: |-
### BEGIN securedrop-workstation ###
@tag:sd-send-app-clipboard sd-app ask
Contributor

I also think using sd-app here makes sense: the intent of the sd-client tag is to support dev environment for opening in dispVM and using split GPG (see 784076d)

Contributor

We can revisit this later, should this be an issue in developer's environment. It should be a small diff that is easily applied on new and existing workstations

sd-app @tag:sd-receive-app-clipboard ask
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny
### END securedrop-workstation ###
Expand All @@ -15,6 +17,8 @@
- policy: qubes.Filecopy
starts_with: |-
### BEGIN securedrop-workstation ###
sd-log @default ask
sd-log @tag:sd-receive-logs ask
sd-proxy @tag:sd-client allow
@anyvm @tag:sd-workstation deny
@tag:sd-workstation @anyvm deny